squirrelmail 1.4.11 and 1.4.12 are compromised

Kevin Fenzi kevin at scrye.com
Sat Dec 15 18:17:02 UTC 2007


On Sat, 15 Dec 2007 13:50:03 +0100
shrek-m at gmx.de ("shrek-m at gmx.de") wrote:

> Kevin Kofler wrote:
> > shrek-m <at> gmx.de <shrek-m <at> gmx.de> writes:
> >   
> >> nice to see that
> >> 1.4.13 f8 is complete
> >> 1.4.13 f9 (rawhide) is complete
> >> http://koji.fedoraproject.org/koji/packageinfo?packageID=473
> >>
> >> please push them asap to updates.

They should go out with the next push. 

> > Look closer at the announcements, they have been compromised
> > post-release, and fairly recently (around December 8), the 1.4.11
> > in F8 was packaged much earlier, so it should be safe.

Indeed this was the case. The reason for the 1.4.13 update was to
prevent confusion about whether the version in Fedora is vulnerable or not.
(It is not.)

Looking at the compromised source and checking it against the 1.4.11
source in the Fedora lookaside CVS cache, it is NOT vulnerable. It has
the orig md5sum of the released 1.4.11 and none of the tampering.
It was uploaded to the Fedora lookaside cache before the compromise.

In any event, 1.4.13 should be pushed soon and hopefully help get rid
of the confusion. 

kevin
